Console
    Contact Us Start free

    Collect Twingate VPN logs

    Supported in:

    Overview

    This Twingate parser extracts fields from Twingate VPN JSON logs, normalizes them, and maps them to the Unified Data Model (UDM). It handles various event types, including connection details, user information, resource access, and intermediary relays, enriching the data with metadata like vendor and product information.

    Before you begin

    Ensure that you have the following prerequisites:

    • Google SecOps instance.
    • Privileged access to AWS IAM and S3.

    Configure Amazon S3 bucket

    1. Create Amazon S3 bucketfollowing this user guide: Creating a bucket
    2. Save bucket Nameand Regionfor future reference.

    3. Create a Userfollowing this user guide: Creating an IAM user .

    4. Select the created User.

    5. Select Security credentialstab.

    6. Click Create Access Keyin section Access Keys.

    7. Select Third-party serviceas Use case.

    8. Click Next.

    9. Optional: add description tag.

    10. Click Create access key.

    11. Click Download .csv filefor save the Access Keyand Secret Access Keyfor future reference.

    12. Click Done.

    13. Select Permissionstab.

    14. Click Add permissionsin section Permissions policies.

    15. Select Add permissions.

    16. Select Attach policies directly.

    17. Search for AmazonS3FullAccesspolicy.

    18. Select the policy.

    19. Click Next.

    20. Click Add permissions.

    Configure Twingate sync with Amazon S3

    1. Go to the Twingate Admin Console.
    2. Go to Settings > Reports.
    3. Click Sync to S3 Bucket.

    4. Configure the S3 Sync:

      • Bucket Name: Provide the name of your S3 bucket.

      • Access Key ID: Enter the Access Key.

      • Secret Access Key: Enter the Secret Key.

    5. Click Start Syncing.

    Set up feeds

    To configure a feed, follow these steps:

    1. Go to SIEM Settings > Feeds.
    2. Click Add New Feed.
    3. On the next page, click Configure a single feed.
    4. In the Feed namefield, enter a name for the feed; for example, Twingate Logs.
    5. Select Amazon S3as the Source type.
    6. Select Twingateas the Log type.
    7. Click Next.

    8. Specify values for the following input parameters:

      • Region: the region where the Amazon S3 bucket is located.
      • S3 URI: the bucket URI. s3:/BUCKET_NAME Replace the following:
        • BUCKET_NAME : the name of the bucket.
      • URI is a: select Directory.
      • Source deletion options: select deletion option according to your preference.
      • Access Key ID: the User access key with access to the s3 bucket.
      • Secret Access Key: the User secret key with access to the s3 bucket.

    9. Click Next.

    10. Review your new feed configuration in the Finalize screen, and then click Submit.

    Field mapping reference

    This parser transforms raw Twingate logs in JSON format into UDM. It normalizes the data and extracts relevant information, mapping it to corresponding UDM fields.

    UDM Mapping Table

    Log Field UDM Mapping Logic
    connector.id
    		read_only_udm.additional.fields[].key Set to "connector_id".
    connector.id
    		read_only_udm.additional.fields[].value.string_value Value from connector.id .
    connector.name
    		read_only_udm.additional.fields[].key Set to "connector_name".
    connector.name
    		read_only_udm.additional.fields[].value.string_value Value from connector.name .
    connection.bytes_received
    		read_only_udm.network.received_bytes Value from connection.bytes_received (converted to an unsigned integer).
    connection.bytes_transferred
    		read_only_udm.network.sent_bytes Value from connection.bytes_transferred (converted to an unsigned integer).
    connection.client_ip
    		read_only_udm.principal.asset.ip Value from connection.client_ip .
    connection.client_ip
    		read_only_udm.principal.ip Value from connection.client_ip .
    connection.protocol
    		read_only_udm.network.ip_protocol Value from connection.protocol (converted to uppercase).
    device.id
    		read_only_udm.principal.user.product_object_id Value from device.id .
    event.id
    		read_only_udm.metadata.event_id Value from event.id
    event.time
    		read_only_udm.metadata.event_timestamp.seconds Seconds part of the timestamp from event.time .
    event.type
    		read_only_udm.event.type Value from event.type .
    event.version
    		read_only_udm.metadata.product_version Value from event.version .
    relays[].ip
    		read_only_udm.intermediary.ip Value from relays[].ip .
    relays[].name
    		read_only_udm.intermediary.hostname Value from relays[].name .
    relays[].port
    		read_only_udm.intermediary.port Value from relays[].port (converted to an integer).
    remote_network.id
    		read_only_udm.network.session_id Value from remote_network.id .
    remote_network.name
    		read_only_udm.network.dhcp.sname Value from remote_network.name .
    resource.address
    		read_only_udm.principal.asset.hostname Value from resource.address .
    resource.address
    		read_only_udm.principal.hostname Value from resource.address .
    resource.id
    		read_only_udm.resource.product_object_id Value from resource.id .
    resource.port
    		read_only_udm.principal.port Value from resource.port (converted to an integer).
    status
    		read_only_udm.security_result.summary Value from status .
    time
    		read_only_udm.event.timestamp.seconds Seconds part of the timestamp from time .
    user.email
    		read_only_udm.principal.user.email_addresses Value from user.email .
    user.id
    		read_only_udm.principal.user.userid Value from user.id .

    Need more help? Get answers from Community members and Google SecOps professionals.

    Design a Mobile Site
    View Site in Mobile | Classic
    Share by: